July 8, 2022
China Issues Final Rules for Cross-Border Transfer Security Assessments
The Cyberspace Administration of China (CAC) issued a set of final rules that will apply to organizations looking to transfer data out of the People’s Republic of China. These rules build on a draft version issued at the end of October 2021, and follow other recent developments (e.g., the CAC SCCs draft, and the TC260’s Technical Specification for the Certification of Cross-Border Processing of Personal Information).
The final rules cover the following points:
Cross-border data transfers requiring security assessments
The CAC has defined which cross-border transfers must undergo a government security assessment. These are:
- Transfers of important data
- Transfers by critical information infrastructure operators, and by data processors that process the personal information (PI) of more than 1 million individuals
- Transfers by data processors that have transferred abroad the PI of 100,000 individuals, or the sensitive PI (SPI) of 10,000 individuals, since January 1 of the previous year
- Other situations as stipulated by the CAC
The term “important data” is defined within the rules as data that may endanger national security, economic operations, social stability, or public health and security if it is tampered with, destroyed, leaked, or illegally obtained or used.
Procedures and timeline of the CAC security assessment
Before applying for a security assessment, the organization exporting the data must first conduct a self-assessment and produce a report covering the following points:
- Justification of the transfer’s necessity
- An assessment of the recipient country’s data protection policies and regulations, and whether the recipient meets requirements under the laws of China
- The scope, size, type, and sensitivity of the data and the risks of it being tampered with or destroyed
- Whether responsibilities and obligations have been fully stipulated in the contract between the transferor and the recipient
A CAC security assessment remains valid for two years; however, if the circumstances of the transfer change, the recipient country’s data laws change, or another major situational change occurs, a new assessment must be conducted.
What this means for organizations
The final rules take effect on September 1, 2022. As with the entry into force of the PIPL and DSL, this leaves organizations little time to prepare for compliance: affected organizations need to review their current cross-border transfer mechanisms over the next two months and adjust them accordingly.
These rules issued by the CAC come on the heels of draft SCCs dealing with the transfer of PI out of China. With the CAC making a clear push to regulate overseas transfers out of China, organizations need to ensure they are on top of these regulations with the appropriate compliance measures in place.